System at a vehicle for debiting at automatic fuelling

ABSTRACT

System for automatic fuelling of a vehicle and debiting for fuel obtained. A transponder is provide on the vehicle for the positioning of a fuelling robot and includes coded information to be utilized for the debiting function.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a system for debiting therefore forcosts of automatic fuelling, of a vehicle where the driver does not haveto leave the vehicle for paying the filled fuel.

2. Decription of the Related Art

Automatic fuelling of vehicles is known, among others from the Swedishpatents 8403564-1 and 9002493-6, that show solutions where the positionof the filling point of the vehicle is automatically measured by meansof microwave technology, in that a fuelling robot senses the position ofa position giving transponder assembled for the purpose close to thefilling point of the vehicle. In this way a comfortable, safe and fastfilling of fuel is obtained, without the driver having to step out ofthe vehicle.

Since usually a payment/debiting is related to the filling of fuel, itis also desirable to find solutions allowing that the payment operationitself does not require leaving the vehicle, since otherwise a big partof the advantages with automatic fuelling would be lost.

Hereby information about account, fuel quality etc can be stored in atransponder on the vehicle, for example in the transponder unit that isused for measuring of the filling point position. Thereby the cost for aspecial data carrier and reader for the debiting is avoided, sincecommon system components are used for the position measurement as wellas for the debiting.

An aim with the present invention is to enable automatic debiting duringautomatic fuelling of vehicles and without the driver having to step outof the vehicle, and where the total cost of the system has beenminimized.

A second aim with the invention is to solve the theft demand problemsfor a transponder on a vehicle that may occur when using debitingfunctions in the transponder.

A third aim of the invention is to provide a solution that allows anaccurate measurement of the position of the transponder as well as thatthe transponder is communicated with data.

A fourth aim of the invention is to enable an off-line function, i.e.that the system shall not have to call data central to match the datacode of the transponder with a personal code related to the driver ofthe vehicle and/or the fuelling place.

A fifth aim of the invention is to enable also the debiting in to becarried out off-line, i e without having to call a data central.

A sixth aim of the invention is to enable updating and reading of thetransponder both at the fuelling robot and at other places in a waywhich is acceptable from a security point of view.

SUMMARY OF THE INVENTION

The present invention thus relates to a system for debiting for carts ofautomatic fuelling of vehicles, where a microwave transponder close tothe filling point of the vehicle is used for positioning of a fuellingrobot by position measurement with a sensor in the moving arm of therobot. The transponder also is arranged to contain informationconcerning debiting related to the filling, and a code read by thesensor from the transponder thereby is matched with data from aregistration unit for identification of the owner or the driver of thevehicle.

By owner or driver is meant in the description and the claims, inaddition to the owner or the driver a person who is authorized to fuelthe vehicle and thereby cause an account or the like to be debited.

According to the invention a microwave transponder (0,9-25 GHz) mountedclose to the filling point of the vehicle has been designed so that itboth can be carefully detected with respect to its position, and alsothat it can be read with respect to its data contents, and possibly alsothat it can be reprogrammed. A preferred embodiment of the transponderoperates in that at certain times it gives away a measurement signal,and at other instants communicates with a data signal. By a thusrepeated and time sequential measurement/communication a solution isobtained where the respective signals can be optimized for theirpurpose.

According to the invention, an active and unique action of the driver ofthe vehicle is required, Alternatively that a biometrical sensing of thedriver is made, whereby a higher level system ties together theinformation from the driver with the information that has been stored/isstored in the transponder. In this way there is no longer any demand tosteal the transponder, since a violator with great certainty is not ableto repeat the identification of the driver, and he can thereby not makeany use of a stolen transponder.

The identification of the driver is in a preferred embodiment made suchthat the driver keys in a PIN code (Personal Identification Number) in akeyboard close to the side window of the vehicle, but can also make useof so called biometrical methods such as speech/voice recognition, wherethe driver talks in a code via a microphone close to the vehicle. Otherbiometrical methods include that the driver enters his finger in asensing unit for fingerprints close to the vehicle, alternatively thatthe shape of the palm of the hand is sensed.

In still another embodiment the driver uses a code transmitter or anelectronic reflecting data carrier to transfer an identification signal.Alternatively an object belonging to the driver, such as a card with anoptical code, can be used for the identification.

All the mentioned methods can be used without the driver having to stepout from the vehicle, and thereby give the desired comfort.

The methods with biometry, code transmitter, data carrier and opticalcodes also have the advantage that a code does not have to be memorized.

In a preferred embodiment the transponder can partly or completely bewritten with encrypted data. In this case the advantage of protectionagainst viewing as well as protection against copying between differenttransponders is obtained, whereby the theft demand for the transponderis furthermore decreased. In addition the risk for unauthorized copyingis reduced, e.g.--with transponder data which with a portable reader isdetected from a vehicle provided with a transponder on a parking placeor the like.

Information storage in the transponder is thereby made both in a readmemory and in a write/read memory, whereby the read memory is onlypossible to write once, preferably during manufacturing of thetransponder.

The read memory is written with a code unique to each transponder, a socalled mark, so that each unit is unique and can not be mixed up withothers. Permanent writing methods are preferably used, e.g.--in thatmemory circuits in the data chip of the transponder during manufactureare etched selectively with a laser or are burned by means of codedcurrent pulses in a pattern individual to each transponder.

During writing of encrypted data in the transponder the information isencrypted together with the individual unique mark of the transponderand possibly a random number, in that the mark first is read into theunit that makes the encryption. In this way a unique encrypted code iscreated in the write/read memory of each transponder, even if theinformation in different transponders, e.g.--the code for a certain fuelfilling station, should be alike. This make it much more difficult forunauthorized viewing of the transponder and falsification of it.

Another advantage with the encryption technique is that one does nothave do distribute transponder lists to the filling stations, but onlythe system key that has been used for writing of the data carrier withits encrypted data. By aid of the system key the distributedcommunication units can automatically decide if the data carrier isvalid or not, e.g.--if a prepaid value stored in the transponder islarge enough, if the transponder is valid at the filling place inquestion etc, without a central system having to be called. In this waycommunication costs, long response times and vulnerability of the systemis avoided. Related debiting does not have to be made at the same timeas the fuelling takes place, but can take place before or afterwards asdesired.

Nevertheless so called black lists can be distributed at a relativelylow cost to the fuel filling stations, since they only contain a minorpart of all transponders in the system, and then be locally verifiedagainst the unique mark of the transponder.

To show that the transponder is used by its right owner, the securitymay require that a special code, so called PIN code, is used duringidentification. The PIN code can according to the system describedherein be stored in a secure way in encrypted form in the transponderand be compared with the code that is received from the owner at anentering unit localized close to the fuelling robot. Since the PIN codeis encrypted, the security will be sufficient to permit the verificationto take place locally and without calling.

A PIN code, however limits the flexibility in the identification sincethe person has to key it in each time. It can then be imagined that aPIN code is keyed in more seldom, e.g.--once a month and at the fuellingplace that is most often used. The validity period and a code for thespecial fuelling place is thereby written into the transponder in anencrypted way and can be valid for e.g.--a month or a year.

It will furthermore be more secure to store prepaid monetary values inthe transponder, that can be debited each time fuelling takes place. Thepetrol station does then not have to make a call neither to check thePIN code nor to debit a central account, but can function off line. Thisis especially advantageous in less populated areas and in areas wherethe infrastructure of society is not well developed as regards handlingof electronic payment transactions.

Filling of a new amount into the transponder can take place at theinstant of fuelling by the fact that the position sensor also changestransponder data according to an order from a bill counting machine, abank etc according to the driver's instructions during fuelling, andwhere a credit card or a so called smart card can be used to authorizethe transaction.

The transponder contains in a special embodiment also a write memorythat can not be read, and a fast encryption algorithm in hardware andwithout microprocessor. In the write memory in the transponder one thenwrites in a transponder key in the form of an encrypted number. Thetransponder key is created by the fact that, in the unit that makes thewriting, the first read unique mark of the transponder is encrypted witha higher level system key.

An advantage with the solution with transponder key and hardwarealgorithm is that the system can ensure that nobody can imitate thebehavior of the data carrier, that will become different from onecommunication instant to another. During identification, thecommunication unit sends a random number to the transponder. Thetransponder encrypts the random number with the transponder keyaccording to the encryption alghorithm built in in its hardware, andretransmits the encrypted random number and the mark to thecommunication unit.

The communication unit can now with the mark, the system key and therandom number calculate the transponder key and perform the sameencryption as the data carrier to check that the response of thetransponder is valid.

A special advantage by not using a microprocessor is that the encryptionprocedure becomes faster, especially since no time is needed to seriallyfeed data between the high frequency junction and the circuits of themicroprocessor. Since the serial circuits can operate in synchronismwith the high frequency signals, the communication time is considerablyreduced.

Another advantage by not having a microprocessor in the transponder isthat it can be made much more lean on current, which gives smallerdimensions and lower cost at the same time as both speed andcommunication range will be good.

A portable read/write unit can be used to update the data of thetransponder. The portable unit can thereby stay in connection with adata center via microwaves within a range of about hundred meters.

Data intended for the transponder can comfortably and without wire begathered from the data center to the place where the vehicle is parked,and in the opposite way transponder data can be transferred from thetransponder to the data center. Since the encryption key thereby doesnot exist in the portable unit but is in a higher level system, thetheft demand for the portable unit will be low. It can not be used initself to read and interpret transponder data, but serves as aconvenient communication link for transponder data to and from eachplace within reach of the communication unit from the data center.

The portable unit can also, instead of via microwave communication, beconnected to the data center via a cable.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention shall now be described in greater detail with reference toembodiments of the invention shown in the enclosed drawings, where

FIG. 1 shows a top diagrammatic view of a vehicle at an automatic fuelfilling station,

FIG. 2 shows coding of a transponder,

FIG. 3 shows one form of schematically encrypted writing and reading ofa transponder,

FIG. 4 shows the corresponding writing and reading in greater detail,and

FIG. 5 is a dramatic view that shows communication between transponderand data center via a portable communication unit.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 shows a vehicle 1 close to an automatic fuelling robot 2. Therobot has in the outer end of its movable arm 3 a sensor 4, which isdesigned to measure the position of a transponder 5, so that withguidance of the transponder 5 is able to guide its filling tube 6 to thefilling place 7 of the vehicle.

Close to the vehicle 1 there is a sensor unit 10, which senses theresult of a unique action by the driver, or biometry, such as the keyingin of a PIN code, voice expressions, fingerprints, hand palm patternetc.

The transponder 5 emits continuously, or repeated within certain timeintervals, a modulation code 20 shown in FIG. 2, which includes a phaseand/or amplitude modulated reflex of a microwave signal radiated fromthe sensor 4, e.g., at 2.45 GHz.

The modulation of the transponder 5 is suitably made without adding newenergy to the signal, in that the transponder from the output signal ofthe sensor 4, creates a modulated signal with information sidebands thatare reradiated to the sensor and are there mixed down to base band,e.g.,--32 kHz, for further signal processing.

The sensor 4 can also, in a known way, by transmission of a pulsemodulated microwave signal to the transponder 5 update its datacontents.

In a special embodiment pulse modulation can also be used to activatethe circuits in the transponder 5 that are causing the side bandmodulation, while the circuits revert to a resting state when the pulsemodulation disappears. Since the transponder 5 only to a smaller part ofits time is in the field of a sensor 4 the total current consumptionwill therefore be less than if the modulation takes place continuously.

In the embodiment every modulation code from the transponder is dividedin a synchronizing/measurement sequence 21 and a data sequence 22.

During the synchronizing/measurement sequence 9, phase comparison ismade in the 4 so that angular error signals can be created and broughtforward for steering of the robot. 2 The measurement will be veryaccurate since the frequency and the phase of the transponder signal 21during this time is controlled and unaffected by transponder data andtherefore without uncontrolled spectrum widening. The signal istypically controlled from a crystal in the transponder unit, e.g. by awatch crystal with the frequency 32,768 Hz.

During the data sequence 22 data is transferred from the transponder 5to the sensor 4 in the form of the signals 22a and 22b. In this case thesequence 21 is used for synchronizing of the decoding circuits in therobot 2 that are to interpret the signals 22a and 22b. The transferredsignals 22a and 22b can be coded in a number of different ways, e.gaccording to FSK, DFSK, PSK or DPSK.

The signals 22a and 22b cause such a spectrum widening in the base bandsignal (e.g. around 32 kHz) that the precision of the measurement duringthe time of data sequence 22 will be considerably reduced. This is,however, not a problem, since the measuring sequence 21 is repeatedoften enough so that the robot 2 can not move very far between eachmeasuring instant. A typical intermediate time between two measurementsequences can e.g. be 100 ms, while the measuring sequence in itself canbe in the order of 10 ms.

When the robot 2 has now measured the position of the transponder 5 andhas docked with the filling place 7 of the vehicle, a verification isneeded that the identity of the driver correspondence with data from thetransponder 5.

This takes place in the shown example in that the driver keys in a PINcode in the terminal 8 placed close to the side window. The higher levelsystem has before that received information about which account is to bedebited, and which PIN code that is connected with the account canalternatively be gathered from a data center that is called. Matching ofthe transponder code with the keyed in code leads to the fact that therobot 2 can start its fuelling pump and complete the fuelling. Thematching takes place by means of circuits including a microprocessor orcomputer carried by the robot 2.

In another embodiment voice entering is used, whereby a microphone 11 isinstalled at the sensor unit 10, to which a voice recognition system isconnected. The interpretation of this system of the announced code ofthe driver, e.g. a PIN code in the form of a number of spoken figures,is then matched with the transponder code.

Still another embodiment provide using identification with an opticalsensor close to the vehicle that recognizes an object brought by thedriver such as a card with a bar code or a dot code.

The sensor unit 4 can also be designed to receive signals from a codetransmitter or an electronic data carrier that preferably operates inthe visual, IR, radio or microwave range or alternatively operates withultrasonic technology.

In the transponder 5 mounted on the vehicle also other information canalso be stored, such as about discounts, fuel quality etc, which isespecially advantageous if the filling station is remotely located and anon-called system therefore is used for the debiting.

In the same way it is of advantage if a prepaid value has been stored inthe field of the transponder field 22b, which value is read by thesensor unit 4, is modified according to the cost for the performedfilling and is rewritten in the data field 22b of the transponder.

The above mentioned method to encrypt the transponder information canthereby be used, and then the transponder unique code field signal 22ais used as a so called mark, while the code field signal 22b is used fordata and possible random information.

The PIN code and/or a balance related to the payment is then preferablypre-programmed in the data field 22b of the transponder, whereby thedata field of the transponder 5 is encrypted with information from atransponder unique and not changeable code in the transponder signal22a, an encryption key and possibly a random number. This technology ismore accurately described in connection with FIGS. 3 and 4, where themark 22a corresponds to the field 47 and where the encrypted part of thedata field 22b corresponds to the field 51.

Information to the driver is given on a display unit 9, e g instructionsfor the debiting and information about remaining amount in thetransponder in case it is preprogrammed with money related information.The display unit 9 can also be used in conjunction with the transponder5 being filled with a money related value via a bill reader, creditcard, smart card or other technology.

The sensor unit 10 can thus include a keypad, microphone, video cameraand image processing circuits, fingerprint detector, hand palm sensor,magnetic card reader, so called smart card reader, communication unitfor code transmitter and data carrier etc.

FIGS. 3 and 4 show writing and reading of an encrypted transponder 5according to the invention, although the embodiment with hardwarealgorithm in the transponder is not shown in those figure.

In FIG. 3 two communication units 41, 42 and an associated transponder43 are shown, where the first communication unit 9 is used for encryptedwriting of data into the transponder 43 and the other is used forreading. The transponder 43 thus brings encrypted information from oneplace to another and thereby constitutes a media.

The transponder 43 is designed for communication by means of microwaves44, 45, so that during writing it is illuminated with a coded microwavesignal 45, and during reading it emits a reflex 44 where data, withoutnew energy having been added to the microwave signal 44 is modulatedonto an illumination signal 45 emitted from the communication unit 41,which during the modulation time is essentially continuous. Thecommunication unit 41 can be a sensor 4 at a fuelling station with billreader and/or credit card/smart card reader, and the communication unit42 can be a sensor at a fuelling station which only is intended forfilling of fuel and not for filling money-related amounts to thetransponder 43.

The memory of the data carrier, I.E. the memory of the transponder 43,includes both a read only part 47 with a code unique for the datacarrier, the so-called mark, and a read and write part 48, a so-calledwrite/read memory, where variable data can be written. In thecommunication units 41, 42 there is also one and the same encryption key49.

FIG. 4 shows an embodiment where at least a part 51 of the read/writememory 48 is readable from outside, and where the same data can bestored in different transponders despite that the bit pattern in thememory part 51 through said encryption is different from data carrier todata carrier. Encryption according to what is later mentioned abouthardware key in the transponder can, but does not have to, be includedin the transponder since all applications do not require this function.

The first communication unit 41 first reads the unique mark 47 and thenencrypts the mark and the basic information 56 in the write/read memorypart 51.

When the same system key 49 is used in the second communication unit 42,user data 56 can be recovered 55 in that the mark 47 then read from thetransponder and the system key 49 are used for decryption of theencrypted information 52 that has been stored in the write/read memory51 of the data carrier.

In addition to what has been described so far, one can, in addition tomark 47 and system key 49 also make use of a random number 53 created inthe first communication unit 41 during encryption of the information 52to the memory part 51 of the transponder. In this case the recovereduser data 55 are separated from the recovered random number afterdecryption. Normally the random number 54 is thrown away after recovery.

Encrypted information in the memory part 51 of the transponder can thusconcern validity-classed information intended to be varied only atcertain communication instants, and then represents e.g. validity time,a PIN code, a geographical area or an authority class. It can alsoconcern value-related information intended to be varied at eachcommunication instant, such as monetary value to be used for fuelling.

The algorithm for writing of data in the transponder is normally of asymmetrical type, while an asymmetrical algorithm can be used fortransferring of the system key in itself, possible PIN code, debitingdata etc over the ordinary telecommunication network.

This transfer then takes place between different communication units,alternatively between a called date center and a communication unit.

FIG. 5 shows a portable communication unit 30, which via microwaves at arelatively short distance can write and read information in thetransponder 5 and at relatively large distance also can communicate thisinformation with a data center 31. Because the communication unit 12 isdesigned fully transparent for data, as a result that the encryption keydoes not have to be in the portable unit 30 whereby the theft demand forit is reduced.

The communication unit 30 can also be connected to the data center via aserial line 32 instead of, or as a complement to, the earlier describedmicrowave connection.

What is claimed is:
 1. System for debiting for costs of automaticfuelling of vehicles, said system comprising: a transponder carried by avehicle adjacent a fuel filling point of the vehicle for providing aposition signal for positioning of a fuelling robot, a fuelling robotincluding a movable arm and a sensor for receiving the transponderposition signal for positioning the robot arm relative to the fuelfilling point of the vehicle, wherein the transponder contains codedinformation for use in debiting related to the filling, and wherein saidcoded information includes a code carried by the transponder and read bysaid sensor from the transponder and wherein said code is matched withverification data contained in a registration unit carried by thefuelling robot for identification of the driver of the vehicle and forenabling fuelling and debiting to be carried out when said codedinformation and said verification data correlate in a predetermined way.2. System according to claim 1, wherein said driver identification ismade by recognition of a driver PIN code.
 3. System according to claim2, wherein the sensor includes a keypad for entering of a PIN code. 4.System according to claim 1, wherein the registration unit includes anoptical sensor responsive to a card carried by the driver and bearing adriver identification code.
 5. System according to claim 1, wherein theregistration unit includes a sensor for receiving and interpretingsignals from a code transmitter carried by the driver, wherein the codetransmitter provides coded visual signals.
 6. System according to claim1, wherein the transponder emits a synchronising/measuring sequencesignal having a predetermined controlled frequency and phase formeasurement of the position of the transponder relative to the fuellingrobot, and wherein the transponder also emits a data sequence signalthat includes account information for debiting an account for fueldelivered.
 7. System according to claim 6, wherein the transponderincludes a write/read memory and a payment authorization code that isstored in the write/read memory in the data sequence signal of thetransponder, and wherein the transponder data sequence signal isencrypted with information from a unique and not changeable code carriedby the transponder.
 8. System according to claim 1, wherein thetransponder includes a data field that contains information about aninitial prepaid amount, and wherein after fuelling the vehicle theinitial prepaid amount is modified by rewriting of a correspondinglychanged remaining prepaid amount in the data field.
 9. System accordingto claim 1, wherein the transponder is includes means for receiving arandom number and a hardware algorithm for calculating a number andemitting information, and means for reading the emitted information andfor confirming the information from the transponder independent ofvariation of the information from one instant to another.
 10. Systemaccording to claim 1, including a portable communication unit forwriting information to and reading information from the transponder, andwherein the portable communication unit communicates with thetransponder and with a remote data center.
 11. System according to claim10, wherein the portable communication unit transfers encryptedinformation between the transponder and the remote data centerindependent of any encryption key in the portable communication unit.12. System according to claim 1, wherein said driver identification ismade by recognition of biometrical properties of the driver.
 13. Systemaccording to claim 1, wherein said driver identification is made byrecognition of an object carried by the driver.
 14. System according toclaim 2, wherein the sensor includes a microphone and voice recognitionmeans for receiving and analyzing speech.
 15. System according to claim2, wherein the sensor includes a fingerprint detector.
 16. Systemaccording to claim 2, wherein the sensor includes a hand palm sensor.17. System according to claim 4, wherein the driver identification codeis a bar code.
 18. System according to claim 4, wherein the driveridentification code is a dot code.
 19. System according to claim 1,wherein the registration unit includes a sensor for receiving andinterpreting signals from a code transmitter carried by the driver,wherein the code transmitter provides coded infrared signals.
 20. Systemaccording to claim 1, wherein the registration unit includes a sensorfor receiving and interpreting signals from a code transmitter carriedby the driver, wherein the code transmitter provides coded radiosignals.
 21. System according to claim 20, wherein the radio signals aremicrowave signals.
 22. System according to claim 1, wherein theregistration unit includes a sensor for receiving and interpretingsignals from a code transmitter carried by the driver, wherein the codetransmitter provides coded ultrasonic signals.
 23. System according toclaim 6, wherein the transponder includes a write/read memory and apayment authorization code that is stored in the write/read memory inthe data sequence signal of the transponder, and wherein the transponderdata sequence signal is encrypted with information corresponding with anencryption key.
 24. System according to claim 6, wherein the transponderincludes a write/read memory and a payment authorization code that isstored in the write/read memory in the data sequence signal of thetransponder, and wherein the transponder data sequence signal isencrypted with information from a unique and not changeable randomnumber code carried by the transponder.